Ransomware is computer malware that installs covertly on a victim’s device (e.g., computer, smartphone, wearable device) and that either mounts the cryptoviral extortion attack from cryptovirology that holds the victim’s data hostage, or mounts a cryptovirology leakware attack that threatens to publish the victim’s data, until a ransom is paid. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, and display a message requesting payment to unlock it. More advanced malware encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. The ransomware may also encrypt the computer’s Master File Table (MFT) or the entire hard drive. Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.
While initially popular in Russia, the use of ransomware scams has grown internationally; in June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique samples of ransomware in the first quarter of 2013, more than double the number it had obtained in the first quarter of 2012. Wide-ranging attacks involving encryption-based ransomware began to increase through Trojans such as CryptoLocker, which had procured an estimated US$3 million before it was taken down by authorities, and CryptoWall, which was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over US$18 million by June 2015.
The Anatomy of an Attack
Unlike some common malware variants, ransomware attempts to remain hidden for as long as possible. This is to allow time to encrypt your personal files. Ransomware is designed to keep the maximum amount of system resources available to the user, so as not to raise the alarm. Consequently, for many users, the first indication of a ransomware infection is a post-encryption message explaining what has happened.
Compared to other malware, ransomware’s infection process is quite predictable. The user downloads an infected file that contains the ransomware payload. When the infected file is executed, nothing appears to happen immediately (depending on the type of infection). The user remains unaware that the ransomware has begun to encrypt their personal files.
Is It Different From “Ordinary” Malware?
Ransomware and other malware share a common goal: remaining hidden. If the infection is spotted early enough, the user still has a chance of fighting it. The key word is “encryption.” Ransomware earned its notoriety for its use of encryption, even though encryption has been used in malware for a very long time.
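Because the encryption itself is the distinguishing feature, one practical early-warning signal is a burst of recently written files whose contents look like ciphertext rather than documents. The following added example (not code from the original article) measures the Shannon entropy of a constructed, in-memory set of "recently modified files" and raises an alert when a large share of them are near the 8 bits/byte that encrypted output exhibits; the file names, contents and thresholds are assumptions for illustration.

```python
import math
import os
from collections import Counter

# Constructed sample "files" (name -> bytes) standing in for recently modified
# files on a host; nothing on disk is read or written. The *.locked entries use
# random bytes to simulate encrypted output.
SAMPLE_FILES = {
    "report.docx": b"Quarterly report. Revenue grew in every region. " * 40,
    "notes.txt": b"meeting at 10am, bring the slides and the budget sheet\n" * 30,
    "photo.jpg.locked": os.urandom(4096),
    "ledger.xlsx.locked": os.urandom(4096),
    "README.md": b"# Project\nBuild with make, run tests with make test.\n" * 20,
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-symbol input, ~8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Ciphertext (and also compressed data) sits close to 8 bits/byte; text is far lower."""
    return shannon_entropy(data) >= threshold

def scan(files: dict, alert_ratio: float = 0.3) -> dict:
    """Flag each file and alert when a large share of recent writes are high-entropy,
    the trace a covert encryptor leaves while the user still sees nothing unusual."""
    flagged = {name: looks_encrypted(data) for name, data in files.items()}
    suspicious = sum(flagged.values())
    ratio = suspicious / len(files) if files else 0.0
    return {"flagged": flagged, "ratio": ratio, "alert": ratio >= alert_ratio}

if __name__ == "__main__":
    result = scan(SAMPLE_FILES)
    for name, hit in result["flagged"].items():
        ent = shannon_entropy(SAMPLE_FILES[name])
        print(f"{name:20s} entropy={ent:.2f} suspicious={hit}")
    print("ALERT: mass high-entropy writes" if result["alert"] else "no alert")
```

Legitimately compressed formats (JPEG, ZIP, already-encrypted archives) also score near 8 bits/byte, so in practice the entropy check is combined with write rate, extension changes and canary files rather than used alone.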